TITLE OF THE INVENTION
ENCRYPTION/DECRYPTION APPARATUS, ENCRYPTION/DECRYPTION
METHOD, AND PROGRAM STORAGE MEDIUM THEREFOR

BACKGROUND OF THE INVENTION
This application is based on Japanese Patent 
Application No. 10-233921, filed August 20, 1998, the 
contents of which are incorporated herein by reference. 

The present invention relates to an encryption/decryption
apparatus and method and, more particularly, to an
encryption/decryption apparatus and method which use
secret key block encryption, and a program storage
medium therefor.

The DES (Data Encryption Standard) is the secret key
block encryption that is currently most widely used;
it is described in detail in Jpn. Pat. Appln.
KOKAI Publication No. 51-108701.

The DES has been evaluated from various viewpoints,
and decryption methods such as a differential
decryption method and linear decryption method, which
are more effective than a key exhaustive search method,
have been proposed.

Note that the differential decryption method is
disclosed in E. Biham and A. Shamir, "Differential
Cryptanalysis of DES-like Cryptosystems," Journal
of CRYPTOLOGY, Vol. 4, Number 1, 1991. The linear
decryption method is disclosed in Mitsuru Matsui,
"Linear Decryption of DES ciphertext (I)", Encryption
and Information Security Symposium, SCIS93-3C, 1993.

There is a new decryption method based on power
consumption differences. In this method, power
consumption differences between given bits of data
(power consumption corresponding to bit 0 and power
consumption corresponding to bit 1) are measured to
estimate bits. In the case of the DES, for example,
an input to an S-box and a corresponding output are
estimated on the basis of a known ciphertext output and
estimation of a key. A power consumption difference
that appears when a given one bit is 0 or 1, which is
estimated on the basis of the output from the S-box,
is measured to check the validity of estimation, i.e.,
the validity of estimation of the key.

For this reason, there is a possibility that a DES
ciphertext is decrypted by the above method, and hence
higher security has been required.

BRIEF SUMMARY OF THE INVENTION 
It is an object of the present invention to
provide an encryption/decryption apparatus and method
which make it difficult to perform decryption by
a technique based on power consumption differences
without changing the data encryption processing result
obtained by a conventional encryption/decryption
apparatus and method, and a program storage medium for
the apparatus and method.

In order to achieve the above object, according to
the first aspect of the present invention, there is
provided an encryption apparatus for converting a
plaintext block into a ciphertext block depending on
supplied key information, comprising means for randomly
selecting one pattern of each of pairs a_i, ā_i (where
i is a positive integer not less than one) of one or
a plurality of predetermined mask patterns and mask
patterns obtained by bit inversion of the predetermined
mask patterns every time encryption is performed,
means for masking bits dependent on a plaintext within
the apparatus with the mask pattern selected by the
selection means, and means for removing an influence of
the mask a from a ciphertext before the ciphertext is
output.

According to the second aspect of the present
invention, there is provided an encryption apparatus
for converting a plaintext block into a ciphertext
block depending on supplied key information, comprising
means for randomly selecting one pattern of each of
pairs a_i, ā_i (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed, means for masking intermediate bit data
within the apparatus with the mask pattern selected
by the selection means, and means for removing an
influence of the mask a from the intermediate bit data
masked by the masking means.

According to the third aspect of the present
invention, there is provided an encryption method of
converting a plaintext block into a ciphertext block
depending on supplied key information, comprising the
steps of randomly selecting one pattern of each of
pairs a_i, ā_i (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed, masking bits dependent on a plaintext
within the method with the selected mask pattern, and
removing an influence of the mask a from a ciphertext
before the ciphertext is output.

According to the fourth aspect of the present
invention, there is provided an encryption method of
converting a plaintext block into a ciphertext block
depending on supplied key information, comprising the
steps of randomly selecting one pattern of each of
pairs a_i, ā_i (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed, masking intermediate bit data within the
method with the selected mask pattern, and removing an
influence of the mask a from the masked intermediate
bit data.

According to the fifth aspect of the present
invention, there is provided a computer-usable program
storage medium storing computer-readable program
code means for converting a plaintext block into a
ciphertext block depending on supplied key information,
comprising computer-readable program code means for
causing a computer to randomly select one pattern of
each of pairs a_i, ā_i (where i is a positive integer not
less than one) of one or a plurality of predetermined
mask patterns and mask patterns obtained by bit
inversion of the predetermined mask patterns every time
encryption is performed, computer-readable program code
means for causing the computer to mask bits dependent
on a plaintext within the method with the selected mask
pattern, and computer-readable program code means for
causing the computer to remove an influence of the mask
a from a ciphertext before the ciphertext is output.

According to the present invention, original data
is masked, and the mask is removed immediately before
it is input to each S-box. When this mask is removed,
there is a possibility that the data may be decrypted
by the above technique based on power consumption
differences. For this reason, according to the present
invention, mask removal processing immediately before
the data is input to each S-box, input operation of
the original data to each S-box immediately after mask
removal, and masking operation for the output from each
S-box are calculated in advance and stored as a table,
and the calculation result is obtained by looking up
the table. Since neither calculation of an exclusive OR
for mask removal nor calculation of an exclusive OR for
masking is performed during encryption and decryption,
the data cannot be decrypted by the technique based on
power consumption differences.

According to the present invention, consistency
of encryption and decryption is ensured, and security
against the decryption technique based on power
consumption differences can be improved by making it
difficult to decrypt data by the technique based on
power consumption differences.

Additional objects and advantages of the invention
will be set forth in the description which follows, and
in part will be obvious from the description, or may
be learned by practice of the invention. The objects
and advantages of the invention may be realized and
obtained by means of the instrumentalities and
combinations particularly pointed out hereinafter.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING 
The accompanying drawings, which are incorporated
in and constitute a part of the specification,
illustrate presently preferred embodiments of the invention,
and together with the general description given above
and the detailed description of the preferred
embodiments given below, serve to explain the principles of
the invention.

FIG. 1 is a block diagram showing the overall 
arrangement of a DES algorithm; 

FIG. 2 is a block diagram showing the arrangement 
of the round functions of the DES; 

FIG. 3 is a table showing an example of the 
contents of an S-box conforming to a DES standard 
table; 

FIG. 4 is a block diagram showing an arrangement 
in which masks are added to round functions according 
to the present invention; 

FIG. 5A is a circuit diagram showing an arrange- 
ment in which a mask is added to the input round 
according to the present invention; 

FIG. 5B is a circuit diagram showing an arrange- 
ment in which a mask is added to the final round 
according to the present invention; 

FIG. 6 is a table showing an expansion E; 

FIG. 7 is a table showing a permutation P; 

FIG. 8 is a view showing a concealed output from
S1 which corresponds to an input (000000, 000001, ...,
111111) in the use of a mask a;

FIG. 9 is a table of a mask ā (bit inversion
of a);

FIG. 10 is a block diagram showing an arrangement 
of a DES algorithm according to an embodiment; 

FIG. 11 is a block diagram showing an arrangement
obtained by adding masks to the round functions in the
arrangement in FIG. 10;

FIG. 12 is a block diagram showing the arrangement 
of S in FIG. 11; 

FIG. 13 is a block diagram showing another
arrangement of a DES algorithm according to an
embodiment;

FIG. 14 is a block diagram showing an arrangement 
obtained by adding masks to the round functions in the 
arrangement in FIG. 13; 

FIG. 15 is a block diagram showing the arrangement 
of S in FIG. 14; 

FIG. 16 is a block diagram showing the arrangement 
of a key scheduler of a DES algorithm; 

FIG. 17 is a block diagram showing an arrangement 
in which a mask is added to the key scheduler according 
to the present invention; 

FIG. 18 is a block diagram showing an arrangement 
in which the mask added to the key scheduler is added 
to each round function according to the present 
invention; 

FIG. 19 is a flow chart showing the flow of
processing in an encryption method according to an
embodiment, which includes the step of masking bits
dependent on a plaintext with selected mask patterns
and the step of removing the influence of the masks
described above from the ciphertext before it is
output;

FIG. 20 is a flow chart showing the flow of
processing in an encryption method according to
an embodiment;

FIG. 21 is a flow chart showing the flow of 
processing in an encryption method according to an 
embodiment, which includes the step of removing the 
influence of masks from intermediate bit data during 
an encryption procedure and the step of masking the 
data with mask patterns; 

FIG. 22 is a flow chart associated with an 
encryption procedure according to an embodiment of 
the present invention; and 

FIG. 23 is a block diagram showing the arrangement 
of an IC card that implements the encryption/decryption 
method, and program storage medium therefor according 
to the present invention described above. 

DETAILED DESCRIPTION OF THE INVENTION 

An embodiment of the present invention will be 
described below with reference to the views of the 
accompanying drawing. 

FIG. 1 shows an arrangement of an encryption
algorithm DES to which the present invention is applied.
This arrangement is comprised of a data scrambler 1
including 1st to 16th rounds for scrambling a plaintext
(64 bits) 3 depending on an externally input key 8
and outputting a corresponding ciphertext, and a key
scheduler 2 for expanding key information k into an
intermediate key to be supplied to the data scrambler 1.

Referring to FIG. 1, the plaintext (64 bits) 3 is
subjected to an initial permutation IP 4 first, and
then divided into two equal halves. The left 32-bit
data and right 32-bit data of the two equal halves
are respectively input to a round function 5. The
structure of the round function will be described later.
The left 32-bit data and right 32-bit data output from
the round function are interchanged and input to the
next round function.

After these data are processed by the 16 round
functions, a ciphertext 7 is output by a final
permutation IP^-1 6.

FIG. 2 is a block diagram showing the details of
the round function 5 in FIG. 1. A round function 17
is constituted by a permutation E 11, exclusive OR 13,
S-boxes 14, permutation P 15, and exclusive OR 16.

The right 32-bit data is extended into 48-bit data
by the permutation E 11. The resultant data is output
to the exclusive OR 13. The exclusive OR 13 outputs
the exclusive OR of the output from the permutation E
11 and an extended key 12. The 48-bit data output from
the exclusive OR 13 is equally divided into 6-bit data.
Each 6-bit data is input to a corresponding one of the
S-boxes 14. In this embodiment, each S-box is formed
from a table, and outputs 4-bit data with respect to
a 64-entry 6-bit input. According to S1 based on the
DES, if the left and right ends of a 6-bit input are
respectively regarded as the first and sixth bits,
a row in a table of the S-box in FIG. 3 is designated
by the first and sixth bits regarded as binary numbers.
Note that the row numbers in the table of the S-box
shown in FIG. 3 are counted from above as the 0th, 1st,
2nd, and 3rd rows. A column number is then designated
by the four remaining bits regarded as a binary number.
The column numbers are also counted from the left end
as the 0th, 1st, 2nd, 3rd, ..., 15th columns. If, for
example, 011011 is input to S1, the row number is 01.
That is, the second row from above is designated.
Since the column number is 01101, i.e., 13 (14th column
from left), the value in the table is 15. Therefore,
S1 outputs this value in binary notation, i.e., 0101.
Referring to FIG. 3, each output from the S-box is
designated by a row and column. In general, however,
such an S-box is formed as a table corresponding to
inputs ranging from 0 to 63. The 32-bit data obtained
by combining outputs from the respective S-boxes
is subjected to bit permutation operation by the
permutation P 15. The resultant data is output to
the exclusive OR 16. The exclusive OR 16 outputs the
exclusive OR of the left 32-bit data and the output
from the permutation P 15.

FIG. 4 is a circuit diagram showing the details of
the round function 5 in FIG. 4 and the round function
17 in FIG. 2. FIG. 5A shows an arrangement for an
input to the first round function. FIG. 5B shows an
arrangement for an output from the 16th round function.
An embodiment of the present invention will be
described in detail below with reference to FIGS. 4, 5A,
and 5B.

Referring to FIG. 4, reference symbols a and b
respectively denote 32-bit masks; and ā, inversion
of all bits. In a round function 35 in FIG. 4, an
exclusive OR 25 calculates the exclusive OR of the
right 32-bit data and an output from a switch SW23 and
outputs it to an expansion E 26. An output from the
expansion E 26 is exclusive-ORed with an extended key
Ki by an exclusive OR 27. The resultant data is output
to a switch SW12. The switch SW12 causes the data to
branch in accordance with a random number sequence Rij.
If Rij is 0, the switch SW12 causes the data to branch
to the 0 side. If Rij is 1, the switch SW12 causes the
data to branch to the 1 side.

FIG. 4 shows the arrangement of each S-box after
branching at the switch SW12. An S-box 29 corresponds
to S1 to S8 based on the DES.

When the switch SW12 causes data to branch to the
0 side, the process indicated by a dashed line 34a is
performed. More specifically, an exclusive OR 32a
calculates the exclusive OR of the output from the
exclusive OR 27 and six bits (E(a)) of the result
obtained by performing the expansion E for the mask a
which corresponds to an input of the S-box, and outputs
the resultant data to the S-box 29. The S-box 29
outputs the result obtained by looking up the table of
the S-box to an exclusive OR 33a.

The exclusive OR 33a calculates the exclusive OR
of bits of P^-1(a) as the result obtained by performing
inverse permutation P^-1 for the mask a and the output
from the S-box 29, and outputs the resultant data to
the switch SW11.

When the switch SW12 causes the data to branch to
the 1 side, the process indicated by a dashed line 34b
is performed. More specifically, an exclusive OR 32b
calculates the exclusive OR of the output from the
exclusive OR 27 and bits of the result obtained by
performing the expansion E for the mask ā which
corresponds to an input of the S-box, and outputs the
resultant data to the S-box 29. The S-box 29 looks up
the table of the corresponding S-box and outputs the
resultant data to the exclusive OR 33b.

The exclusive OR 33b calculates the exclusive OR
of four bits of P^-1(ā) as the result obtained by
performing inverse permutation P^-1 of a permutation
P(30) for the mask ā which corresponds to an output
from the S-box and the output from the S-box 29, and
outputs the resultant data to the switch SW11.



Note that the processes indicated by the dashed
lines 34a and 34b must not be performed during
encryption and decryption. This is because, even if
data is concealed with the above mask, since input/
output operation of the S-box 29 is not concealed,
decryption may be attempted by using power consumption
differences in S-box processing.

In this embodiment of the present invention, the
results of the processes indicated by the dashed lines
34a and 34b are obtained first by pre-calculation
performed before encryption and decryption, and
encryption processing and decryption processing are
then performed. For example, a table in which the
index of each input to each S-box and a corresponding
output are rewritten is prepared for each S-box, and
is used for encryption and decryption. In this case,
a table of an S-box corresponding to the mask a and
a table of an S-box corresponding to the mask ā are
prepared. For example, the following is the result
obtained by calculating the process block 34a in FIG. 4
using the mask a. Assume that the mask a is (0110 1111
1100 1010 0110 1100 1100 0011). The expansion E is
expressed by the table shown in FIG. 6. In the table
shown in FIG. 6, the respective rows correspond to
inputs to S1, S2, ..., S8 from above. In addition, the
first bit on the left end of each column corresponds to
the first bit of an input to a corresponding S-box.
Each number in the table represents the Xth bit of
a corresponding input to the expansion E. That is,
the input to S1 includes the 32nd, 1st, 2nd, 3rd, 4th,
and 5th bits of the input to E. With the above mask a,
therefore, a bit mask E(a) corresponding to the input
to S1 is (101101). FIG. 7 shows a table of the
permutation P. Referring to FIG. 7, the numbers
sequentially correspond to the first to 32nd bits of
the output from P from the left (the first and second
rows are contiguous). Each term represents the Xth bit
of an input. That is, the first bit of the output from
permutation P is the 16th bit of the input. The bits
corresponding to S1 are the 1st, 2nd, 3rd, and 4th bits
of the input to the permutation P, and hence
respectively correspond to the 9th, 17th, 23rd, and 31st bits
of the output from P. Since a mask corresponding to
the output from S1 is P^-1(a), i.e., the output from P
is a, the 9th, 17th, 23rd, and 31st bits of the mask a
become P^-1(a). The mask corresponding to the output
from S1 is therefore (1001). With the above mask a,
therefore, a bit mask E(a) corresponding to the input
to S1 is (101101), and a bit mask P^-1(a) corresponding
to the output from S1 is (1001). According to the
actually formed table corresponding to the mask a, the
output from S1 is calculated by using the result of the
exclusive OR of the input and the bit mask E(a) as the
input to S1, and an output from the table is obtained
by adding the bit mask P^-1(a) to the output from S1 by
exclusive OR. FIG. 8 shows an output (corresponding to
an input of 0 to 63) of concealed S1 when the input
corresponds to (000000, 000001, ..., 111111), in the
case of the above mask a. FIG. 9 shows a table of the
mask ā (bit inversion of a).

The outputs from the respective process blocks 
indicated by the dashed lines 34a and 34b are 
permutated by a permutation P 30. The resultant data 
is output to an exclusive OR 31. The exclusive OR 31 
calculates the exclusive OR of the left 32-bit data and 
the output from the permutation P 30. An exclusive OR 
24 calculates the exclusive OR of the right 32-bit data 
and the output from the switch SW13 to obtain new right 
32-bit data. 

Referring to FIG. 5A, the result obtained by 
permutating the plaintext (64 bits) by initial 
permutation IP 41a is divided into equal halves, i.e., 
right 32-bit data and left 32-bit data. An exclusive 
OR 44a calculates the exclusive OR of the left 32-bit 
data and an output from a switch SW21. The output from 
this exclusive OR 44a becomes the left 32-bit data of 
an input of the first round function. An exclusive OR 
42a calculates the exclusive OR of the right 32-bit 
data and an output from a switch SW14. An exclusive OR 
43a calculates the exclusive OR of the output from the 
exclusive OR 42a and an output from a switch SW22.
The output from the exclusive OR 43a becomes the
right 32-bit data of an input of the first round
function. In the case shown in FIG. 5A, the sequence 
of the exclusive ORs 42a and 43a may be interchanged 
in accordance with the characteristics of the 
exclusive ORs. 

Referring to FIG. 5B, the result obtained by 
permutating the plaintext (64 bits) by initial 
permutation IP 41a is divided into equal halves, i.e., 
right 32-bit data and left 32-bit data. An exclusive 
OR 44b calculates the exclusive OR of the left 32-bit 
data and the output from the switch SW21. This 
eliminates the influence of the mask in the exclusive 
OR 43a in FIG. 5A. The output from the exclusive OR 
44b is input to a final permutation IP^-1 41b. An
exclusive OR 42b calculates the exclusive OR of the 
right 32-bit data and the output from the switch SW14. 
An exclusive OR 43b calculates the exclusive OR of the 
output from the exclusive OR 42b and the output from 
switch SW22. This eliminates the influence of the mask 
in the exclusive OR 44a in FIG. 5A. The output from 
the exclusive OR 43b is input to the final permutation 
IP^-1 41b. Referring to FIG. 5B, the sequence of
the exclusive ORs 42b and 43b may be interchanged 
in accordance with the characteristics of the 
exclusive ORs. 

The characteristics of the arrangement shown in
FIGS. 4, 5A, and 5B will be described below.

The exclusive ORs 44a, 42a, and 43a conceal data
by using masks such as the masks a and b. With this
operation, in the data scrambler, it is difficult to
observe the left 32-bit data and right 32-bit data from
the outside world. If, however, data is concealed by
using the above masks, inputs to the respective S-boxes
14 in FIG. 2 differ from the original plaintext data,
and hence outputs from the S-boxes differ. Therefore,
the output ciphertext does not correspond to the
original plaintext data.

In order to solve the above problem, in each round
function, the exclusive OR 25 in FIG. 4 calculates the
exclusive OR of the mask b or mask b̄. This eliminates
the influence of concealment using the mask b or b̄
added in FIG. 5A. If the switch SW12 causes the
data to branch to the 0 side, the exclusive OR 32a
eliminates the influence of concealment using the mask
a in FIG. 5A. That is, the input to S29 becomes the
same as the original plaintext input. The output from
S29 is concealed again by the exclusive OR 33a using
the mask a. In this case, because the process block 34a
is calculated in advance and its result is obtained by
looking up the table, no significant changes in power
consumption data directly associated with the
input/output operation of S29 can be observed from the
outside world.

The exclusive OR 24 in FIG. 4 temporarily
eliminates the influence of the mask a or ā on the
right 32-bit data. However, the right 32-bit data is
still concealed by the mask b or b̄, and hence security
is ensured. The right 32-bit data becomes left 32-bit
data on the next round. The exclusive OR 31 calculates
the exclusive OR of the left 32-bit data and the output
from permutation P30. As a consequence, the data is
concealed by the mask a (or ā) and mask b (or b̄) and
becomes a right input on the next round. As described
above, therefore, consistency among the respective
S-boxes is maintained in terms of DES for translation.

At the output of the final round, to eliminate the 
influence of each mask on concealment in FIG. 5A, the 
exclusive OR using each mask in FIG. 5B is performed. 

The switches SW11, SW12, SW13, and SW14 are
controlled by a random number sequence {R1i}.
The switches SW21, SW22, and SW23 are controlled by
a random number sequence {R2i}. For example, each
switch selects a branch to the 0 side when Rji = 0, and
selects a branch to the 1 side when Rji = 1. The
random number sequences {R1i} and {R2i} for controlling
the switches are characterized by being changed for
each of encryption and decryption processes for the
respective blocks. For example, in a given encryption
process, all the switches SW11, SW12, SW13, and SW14 on
the respective rounds perform processing on the 0 side.
In another encryption process, all the switches SW11,
SW12, SW13, and SW14 on the respective rounds perform
processing on the 1 side.

If there is a clear relationship of dependence
between the random number sequences {R1i} and {R2i},
an attacker has a clue to the estimation of the masks
a and b. Random number sequences having no clear
relationship of dependence are therefore used as the
random number sequences {R1i} and {R2i}. Ideally, the
use of two random number sequences which are
statistically independent is recommended. In practice,
however, even if there is a statistical dependence
relationship, this technique is effective as a measure
against decryption based on power consumption
differences, as long as the influence is sufficiently
small. Two m sequence generators may be prepared as
means for implementing the present invention, and
outputs from the first and second m sequence generators
may be respectively set to {R1j} and {R2j}. If the
period of an m sequence is sufficiently long and the
sequence lengths of the two m sequence generators,
corresponding convention polynomials, and part or all
of initial values are made to differ from each other,
the above condition can be sufficiently satisfied.
As another means for implementing random number
sequences, one m sequence generator may be prepared to
generate two bits for each encryption or decryption
process. The first and second bits are respectively
used as {R1j} and {R2j}.
Although the m sequence generators are presented
as practical examples in this case, any random number
sequence generator can be used as long as security in
practice can be ensured. Note that these random number
sequences must be implemented so as not to be estimated
from the outside world. According to still another
implementation means, random number sequences may be
stored in a memory in advance to be sequentially
referred to. Note that these random number sequences
must be implemented so as not to be estimated from the
outside world.

Referring to FIGS. 4, 5A, and 5B, the number of 1s
of a bit sequence, i.e., a Hamming weight, is defined
as H(a). In decryption using the technique based on
power consumption differences, power consumption
differences in a data encryption process are observed
to acquire information about an encryption key.
The concealment of data using the above masks makes it
difficult to bring power consumption measurement from
the outside world into correspondence with processed
data. If, however, the Hamming weights of masks
differ from each other, only data using only the masks
a and b may be extracted in accordance with measurement
of a plurality of encryption data and statistical
information. If only such data can be extracted,
a key can be extracted as in the prior art by using
the decryption technique based on power consumption
differences. Since the currently used mask can be
discriminated as the mask a or ā in this manner,
satisfactory countermeasures cannot be taken. If, for
example, the Hamming weights of the masks a and ā or
masks b and b̄ are set to be equal, it is difficult to
discriminate the masks by measurement from the outside
world, thus ensuring security. If, however, the bit
weights of the masks are offset, the security greatly
deteriorates.

Referring to FIGS. 4, 5A, and 5B, if, therefore,
masks that satisfy H(a) = H(ā) = H(b) = H(b̄) = n/2 =
16 are selected (the Hamming weights of the masks
are equal to each other), high security is ensured.
In this case, since a bit count n of each of the masks
a and b is 32, a mask value of 16 is preferably used as
the bit weight of each of the masks a and b and the bit
inversions of the masks a and b. Ideally, as described
above, a mask having a Hamming weight corresponding to
half of the bit length of the mask is preferably used.
However, the same effect as described above can be
obtained by using two masks having almost the same
Hamming weight. In other words, if the Hamming weight
indicating the number of bits 1 of an n-bit long bit
sequence x is defined as H(x), the Hamming weight H(a)
of the mask a satisfies 0 < H(a) < n. Alternatively,
the absolute value of the difference between the
Hamming weight H(a) of the mask a and the Hamming
weight H(ā) of the bit inversion ā of the mask a is
less than n/2.

That is, if the Hamming weights of the respective
masks are not extremely offset, it is not easy to
discriminate the masks by measurement from the outside
world. Therefore, the effect of a countermeasure
against the technique based on power consumption
differences can be obtained.

Consider the characteristics of the expansion E 26
based on the DES in FIG. 4. For the same reason as
that for the selection of a mask value in consideration
of Hamming weights, masks whose Hamming weights E(a)
and E(ā) applied to the exclusive ORs 32a and 32b are
equal to each other are selected. That is, masks
satisfying H(E(a)) = H(E(ā)) are selected.

When the above mask condition is applied to the
implementation of the DES, for example, it is required
that both the number of 1s of the "first bits" (the
bits on the left ends) of the respective 4-bit blocks
of the mask a and the number of 1s of the "fourth bits"
(the bits on the right ends) of the respective 4-bit
blocks of the mask a are 4 each. That is, this
embodiment is characterized by selecting the masks
a and b that satisfy the above condition. As mask
values that satisfy the above condition,

(10000011111011011110010100100001)2,
(11011010011001010011010110001010)2,

and the like can be used.

Ideally, the use of mask values that satisfy the
above condition is recommended. However, a similar
effect can be obtained if the number of 1s of the
"first bits" of the respective 4-bit blocks of the
mask a and the number of 1s of the "fourth bits" of
the respective 4-bit blocks of the mask a are not
extremely offset.
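
The mask-selection conditions above can be checked mechanically. The following is an added example, not part of the patent text: it applies the standard DES expansion table E to the two mask values quoted above and to one constructed counterexample (0x99999999); the function names are illustrative.

```python
# DES expansion E (FIPS 46-3). Output bit j copies input bit E_TABLE[j - 1];
# input bits are numbered 1..32 from the left (most significant) end.
E_TABLE = [
    32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
    8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1,
]
N = 32                      # bit length n of a mask
ALL_ONES = (1 << N) - 1


def hamming_weight(x):
    """H(x): number of 1 bits in x."""
    return bin(x).count("1")


def expand(x):
    """Apply the expansion E to a 32-bit word, giving a 48-bit word."""
    out = 0
    for src in E_TABLE:
        out = (out << 1) | ((x >> (N - src)) & 1)
    return out


def edge_bit_counts(x):
    """Count the 1s among the first and among the fourth bits of the 4-bit blocks."""
    nibbles = [(x >> shift) & 0xF for shift in range(N - 4, -1, -4)]
    first = sum(nib >> 3 for nib in nibbles)
    fourth = sum(nib & 1 for nib in nibbles)
    return first, fourth


def check_mask(a):
    """Evaluate the selection conditions for mask a and its bit inversion."""
    inv = a ^ ALL_ONES
    first, fourth = edge_bit_counts(a)
    report = {
        "H(a)": hamming_weight(a),
        "H(inv)": hamming_weight(inv),
        "H(E(a))": hamming_weight(expand(a)),
        "H(E(inv))": hamming_weight(expand(inv)),
        "first_bits": first,
        "fourth_bits": fourth,
    }
    # Condition 1: H(a) = H(inverted a) = n/2.
    report["weights_equal"] = report["H(a)"] == report["H(inv)"] == N // 2
    # Condition 2: H(E(a)) = H(E(inverted a)). E duplicates exactly the first
    # and fourth bit of every 4-bit block, hence the 4-and-4 requirement.
    report["expanded_equal"] = report["H(E(a))"] == report["H(E(inv))"]
    return report


# The two mask values quoted in the text above.
PAGE_MASKS = [
    int("10000011111011011110010100100001", 2),
    int("11011010011001010011010110001010", 2),
]
# Constructed counterexample: weight 16, but every edge bit is 1.
SKEWED = 0x99999999

if __name__ == "__main__":
    for mask in PAGE_MASKS + [SKEWED]:
        print(f"{mask:032b}", check_mask(mask))
```

The counterexample passes the plain Hamming-weight test yet fails after expansion, which is why the condition on the first and fourth bits is stated separately.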

In using the mask values that satisfy the above 
condition, when there is no clear correspondence 
between the random number sequences {R1j} and {R2j}
for controlling the switches, even if the same mask 
value is used for the masks a and b, effective 
countermeasures can be taken against decryption using 
the technique based on power consumption differences. 

The DES arrangement shown in FIG. 1 is most widely 
known. However, DES arrangement methods having 
undergone various equivalent modifications to attain 
an increase in processing speed have been known. 

Modifications in which the present invention is 
applied to the DES will be described below. 

FIG. 10 shows an equivalent modification of the
DES. In the implementation of the DES in FIG. 10, in
order to improve the processing efficiency, the
permutation E 11 and the permutation P 15 are integrated
into one permutation and processed as an EP 53.
The output obtained by permuting an input plaintext
58 by an initial permutation IP 57 is divided into
equal halves. The right 32-bit data is input to an
expansion E 51a, and the left 32-bit data is input to
an expansion E 51b. The 48 bits output from the
expansion E 51a are the right 48 bits of an input to
the first round. The 48 bits output from the expansion
E 51b are the left 48 bits of an input to the first
round. An exclusive OR 55 calculates the exclusive OR
of the right 48 bits of the input and an extended key
K1, and outputs the resultant data to an S-box 54.
The S-box 54 outputs a corresponding output to the EP
53 by looking up the table. The EP 53 permutes the
input and outputs the resultant data to an exclusive OR
56. The exclusive OR 56 calculates the exclusive OR of
the left 48 bits output from the expansion E 51a and
the output from the EP 53. The resultant data becomes
the right 48 bits of an input to the next round.
The above processing on the first round is repeated up
to the 16th round. The right 48 bits output from the
16th round are input to a contraction permutation E^-1
52a, and the left 48 bits are input to a contraction
permutation E^-1 52b. The respective 32-bit outputs are
input to a final permutation IP^-1 59. As a consequence,
a 64-bit ciphertext 60 is output.

A method of preventing decryption using the
technique based on power consumption differences by
applying the present invention to such a modified DES
will be described below.

FIG. 11 shows an embodiment of the implementation
of the DES in FIG. 10 according to the present
invention. Referring to FIG. 11, "E(a)/E(ā)" indicates
how the switch SW23 applies a mask based on an
exclusive OR. That is, "E(a)/E(ā)" indicates the mask
E(a) or E(ā).

FIG. 11 shows an embodiment which indicates that
the present invention shown in FIGS. 4, 5A, and 5B can
be applied to the implementation of the DES in FIG. 10.

The output obtained by performing an initial
permutation for an input plaintext is divided into two
equal halves. The right 32-bit data is input to
an expansion E 61a, and the left 32-bit data is input
to an expansion E 61b. An exclusive OR 64 calculates
the exclusive OR of the 48-bit data output from the
expansion E 61a and the mask E(a)/E(ā) and outputs the
resultant data to an exclusive OR 65. The exclusive OR
65 calculates the exclusive OR of the output from the
exclusive OR 64 and the mask E(b)/E(b̄) to obtain the
right 48 bits of an input to the first round. Note
that the sequence of the exclusive ORs 64 and 65 may be
interchanged depending on the characteristics of the
exclusive ORs.

An exclusive OR 69 calculates the exclusive OR of
the 48-bit data output from the expansion E 61b and the
mask E(b)/E(b̄) to obtain the left 48 bits of an input
to the first round.

An exclusive OR 66 calculates the exclusive OR of
the right 48 bits of the input and the mask E(a)/E(ā)
to obtain the left 48 bits of an input to the next
round. An exclusive OR 67 calculates the exclusive OR
of the right 48 bits of the input and the mask
E(b)/E(b̄) and outputs the resultant data to an
exclusive OR 68. The exclusive OR 68 calculates the
exclusive OR of the output from the exclusive OR 67 and
the extended key K1 and outputs the resultant data to
S 62 ("~" indicates exponentiation). The structure of
S 62 will be described later. The output from S 62 is
permuted by an EP 63 and output to an exclusive OR 70.

The shift register 70 calculates the exclusive OR
of the left 48 bits of the input data and the output
from the EP 63 to obtain the right 48 bits of an input
to the next round. The processing on the first round
is repeated up to the 16th round. The output from the
final round is subjected to processing reverse to that
for the input to the first round. More specifically,
the right 48 bits are subjected to the exclusive OR 65,
exclusive OR 64, and contraction permutation E^-1,
whereas the left 48 bits are subjected to the exclusive
OR 65 and contraction permutation E^-1. The resultant
two 32-bit data are output to the final permutation.

FIG. 12 shows the structure of S 62 in FIG. 11. 

Referring to FIG. 12, α = E(a) and ᾱ = E(ā).
An exclusive OR 71 calculates the exclusive OR of
an input to S 62 and a mask α or ᾱ and inputs the
resultant data to an S-box 72. An exclusive OR 73
calculates the exclusive OR of the output from the
S-box 72 and a mask P^-1 E^-1(α) or P^-1 E^-1(ᾱ) to
obtain an output from S 62.

That is, a block 74 in FIG. 12 corresponds to the
process blocks 34a and 34b including the switches SW12
and SW11 in FIG. 4. Note, however, that the process in
the block 74 must not be performed during encryption
and decryption. This is because, even if data is
concealed with the above mask, since input/output
operation of the S-box 72 is not concealed, decryption
may be attempted by using power consumption differences
in S-box processing.

The embodiment of the present invention is
characterized in that the result of the process in the
block 74 is obtained first by calculation performed
in advance before encryption and decryption, and is
then used for encryption processing and decryption
processing. For example, a table in which the index
of each input to each S-box and a corresponding output
are rewritten is prepared for each S-box and used as S
for encryption processing and decryption processing.

In this case, an S table corresponding to the mask a
and an S table corresponding to the mask ā are
prepared in each S-box.

FIG. 13 shows another equivalent modification of
the DES.

In the implementation of the DES in FIG. 13, in
order to improve the processing efficiency, the
expansion E 11 and permutation P 15 are integrated into
one permutation and processed as an EP 83. The output
obtained by permuting an input plaintext 88 by
an initial permutation IP 87 is divided into two
equal halves. The right 32-bit data is input to
a permutation P^-1 81a, and the left 32-bit data is
input to a permutation P^-1 81b. The 32 bits output
from the permutation P^-1 81b are the right 32 bits of
an input to the first round. The 32 bits output from
the permutation P^-1 81b are the left 32 bits of an
input to the first round. The right 32 bits of the
input are input to the EP 83, and the resultant data
obtained by performing an expansion for the input
is output to an exclusive OR 85. The excitation
reconstruction section 85 calculates the exclusive OR
of the data and the extended key K1 and outputs the
resultant data to an S-box 84. The S-box 84 outputs
a corresponding output to an exclusive OR 86 by looking
up the table. The exclusive OR 86 calculates the
exclusive OR of the left 32 bits output from the
expansion E 81b and the output from the S-box 84 to
obtain the right 32 bits of an input to the next round.
The processing on the first state is repeated up to the
16th round.

At the output of the 16th state, the right 32 bits
are input to a permutation P 82a, and the left 32 bits
are input to a permutation P 82b. The respective
32-bit data are input to a final permutation IP^-1 89.
As a consequence, a 64-bit ciphertext 90 is output.
A method of preventing decryption using the technique
based on power consumption differences by applying the
present invention to such a modification of the DES
will be described below.

FIG. 14 shows an embodiment of the equivalent 
modification of the DES in FIG. 13 according to the 
present invention. 

Referring to FIG. 14, "P^-1(a)/P^-1(ā)" indicates
how the switch SW23 applies a mask based on an
exclusive OR. That is, "P^-1(a)/P^-1(ā)" indicates
a mask P^-1(a) or P^-1(ā).

FIG. 14 shows an embodiment which indicates that
the present invention shown in FIGS. 4, 5A, and 5B can
be applied to the implementation of the DES in FIG. 13.

The output obtained by performing an initial
permutation for an input plaintext is divided into two
equal halves. The right side 32-bit data is input to
a permutation P^-1 91a, and the left 32-bit data is
input to a permutation P^-1 91b. An exclusive OR 94
calculates the exclusive OR of the 32 bits output from
the permutation P^-1 91a and P^-1(a)/P^-1(ā) and outputs
the resultant data to an exclusive OR 95. The inverter
circuit 95 calculates the exclusive OR of the output
from the exclusive OR 94 and the mask P^-1(a)/P^-1(ā) to
obtain the right 32 bits of an input to the first round.
Note that the sequence of the exclusive ORs 94 and 95
may be interchanged depending on the characteristics of
the exclusive ORs.

An exclusive OR 96 calculates the exclusive OR
of the right 32 bits of the input and the mask
P^-1(a)/P^-1(ā) to obtain the left 34 bits of an input
to the next round. An exclusive OR 97 calculates the
exclusive OR of the right 32 bits of the input and the
mask P^-1(b)/P^-1(b̄) and outputs the resultant data to
an EP 93. The 48-bit output obtained by expansion
at the EP 93 is output to an exclusive OR 98 to be
exclusive-ORed with the enlarged key K1. The resultant
data is output to S 92. The structure of S 92 will be
described later. The output from S 92 is output to
an exclusive OR 100 to be exclusive-ORed with the left
32 bits of the input data so as to obtain the right 32
bits of an input to the next round. The above
processing on the first state is repeated up to the
16th round.

The output from the final round is subjected to
processing reverse to that for the input to the first
round. More specifically, the right 32 bits are
subjected to the exclusive OR 95, exclusive OR 94,
and permutation P, whereas the left 32 bits are
subjected to the exclusive OR 95 and permutation P.
The resultant two 32-bit data are output to the final
permutation.

FIG. 15 shows the structure of S 92 in FIG. 14.

Referring to FIG. 15, α = P^-1(a) and ᾱ = P^-1(ā).
An exclusive OR 101 calculates the exclusive OR of
an input to S 92 and a mask α or ᾱ and inputs the
resultant data to an S-box 102.

An exclusive OR 103 calculates the exclusive OR of
the output from the S-box 102 and a mask P^-1 E^-1(α) or
P^-1 E^-1(ᾱ) to obtain an output from S 92. That is,
a block 104 in FIG. 15 corresponds to the process
blocks 34a and 34b including the switches SW12 and SW11
in FIG. 4. Note, however, that the process in the
block 104 must not be performed during encryption and
decryption. This is because, even if data is concealed
with the above mask, since input/output operation of
the S-box 102 is not concealed, decryption may be
attempted by using power consumption differences in
S-box processing. The embodiment of the present
invention is characterized in that the result of
the process in the block 104 is obtained first by
calculation performed in advance before encryption and
decryption, and is then used for encryption processing
and decryption processing. For example, a table in
which the index of each input to each S-box and
a corresponding output are rewritten is prepared for
each S-box and used as S for encryption processing and
decryption processing.

In this case, an S table corresponding to the mask
a and an S table corresponding to the mask ā are
prepared in each S-box.
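
The precomputed tables described for the block 74 (FIG. 12) and the block 104 (FIG. 15) can be sketched for a single S-box as follows. This is an added example, not code from the patent: it uses DES S-box S1, and the 6-bit input mask slice and 4-bit output mask slice are constructed values standing in for the corresponding bits of the masks in the figures.

```python
import secrets

# DES S-box S1 (FIPS 46-3): row = outer two input bits, column = middle four.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    """Plain S1 lookup on a 6-bit input (used only to build and check tables)."""
    row = ((x >> 4) & 2) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def build_masked_table(in_mask, out_mask):
    """Rewrite index and output once, in advance: T[x ^ in_mask] = S1(x) ^ out_mask."""
    return [sbox1(idx ^ in_mask) ^ out_mask for idx in range(64)]


# Constructed mask slices (assumptions for this example only).
IN_MASK = 0b101100          # 6 bits of the input-side mask for this S-box
OUT_MASK = 0b0110           # 4 bits of the output-side mask for this S-box
MASKS = {
    0: (IN_MASK, OUT_MASK),                  # table for the mask
    1: (IN_MASK ^ 0x3F, OUT_MASK ^ 0xF),     # table for its bit inversion
}
TABLES = {sel: build_masked_table(*MASKS[sel]) for sel in MASKS}


def masked_sbox(masked_in, select):
    """Run-time path: one lookup, indexed by masked data, yielding masked data."""
    return TABLES[select][masked_in]


def process(x, select=None):
    """Mask x with the randomly selected pattern, look up, then unmask the result."""
    if select is None:
        select = secrets.randbelow(2)        # switch position, chosen per run
    in_mask, out_mask = MASKS[select]
    masked_out = masked_sbox(x ^ in_mask, select)
    return masked_out ^ out_mask


def hw(x):
    return bin(x).count("1")


def complementary_weights():
    """For every x, sum the Hamming weights seen under the two selections.

    Index weights always add up to 6 and output weights to 4, so the average
    weight handled by the lookup does not depend on the unmasked value.
    """
    sums = []
    for x in range(64):
        idx = [x ^ MASKS[s][0] for s in (0, 1)]
        out = [masked_sbox(idx[s], s) for s in (0, 1)]
        sums.append((hw(idx[0]) + hw(idx[1]), hw(out[0]) + hw(out[1])))
    return sums
```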

An embodiment in which the present invention is
applied to a key scheduler will be described next with
reference to FIGS. 16, 17, and 18.

A mask pattern c for masking a bit pattern K of
a true key and a bit inversion pattern c̄ are prepared.
Let Kc be the value obtained by converting K with c by
using designated dyadic operation, and Kc̄ be the value
obtained by converting K with c̄ by using the same
dyadic operation. The values Kc and Kc̄ are stored
in the memory in advance. Every time encryption or
decryption is executed, one of the values Kc and Kc̄
is randomly selected and processed in the same manner
as the true key. The resultant data is applied to a
plaintext by the above dyadic operation, and inversion
of the dyadic operation is performed to remove the
influence of the pattern c or c̄ from the output
obtained by the dyadic operation. A case wherein the
present invention is applied to a DES scheme as an
encryption scheme using exclusive OR operation as
dyadic operation will be described first. First of all,
two masked keys Kc and Kc̄ are prepared:

Kc = K (+) c
Kc̄ = K (+) c̄

where (+) represents an exclusive OR for each bit.

Prior to encryption or decryption, one of the keys
Kc and Kc̄ is randomly selected, and a key schedule
process of the DES is performed to sequentially
generate 16 extended keys. The 16 keys extended from
Kc are expressed by Kci (i = 1, ..., 16), and the keys
extended from Kc̄ are expressed by Kc̄i (i = 1, ..., 16).
The keys extended from Kc are influenced by the mask c,
and the keys extended from Kc̄ are influenced by the
mask c̄. This influence is determined by the key
schedule process of the DES. In this case, however,
the keys extended from the true key K, which is not
masked, according to a key schedule are expressed by Ki
(i = 1, ..., 16), the exclusive OR of Ki and Kci is
expressed by ci, and the exclusive OR of Ki and Kc̄i is
expressed by c̄i. That is,

ci = Ki (+) Kci
c̄i = Ki (+) Kc̄i

In the DES, each extended key Ki is applied to
a message by an exclusive OR for each bit immediately
after the expansion E. In the present invention, Kci
or Kc̄i is applied in place of Ki. When Kci is applied,
its influence is removed by applying ci by exclusive OR
operation after the application of Kci. When Kc̄i is
applied, its influence is removed by applying c̄i by
exclusive OR operation after the application of Kc̄i.
The values ci and c̄i are obtained by enlarging c and c̄
according to the key schedule of the DES in the same
manner as extended keys. The value ci or c̄i may be
generated from the mask c or c̄ selected every time
encryption or decryption is performed. However, the
method of calculating ci and c̄i in advance is the
method that can suppress the leakage of information
most against observation from the outside world.
In this case, two sets of 16 48-bit masks, i.e., a
total of 1,536 bits, are prepared. When, for example,
the present invention is applied to IC cards, since
these masks can be fixed at least for each card, ci
and c̄i can be written in the ROM. This is important
especially for IC cards whose storage capacities are
severely constrained. In general, when the same number
of bits are to be stored, the area of a ROM is smaller
than that of a RAM or EEPROM. When a 1,536-bit mask is
stored in a ROM, the use efficiency of an LSI chip area
becomes higher than when the mask is stored in a RAM or
EEPROM.

FIG. 16 shows a key schedule of the DES.
Referring to FIG. 16, reference symbols (PC-1)
111 and (PC-2) 113 denote functions each constituted
by a combination of bit selection and a permutation;
and ROT 112, cyclic shift operation. (PC-1) 111
discards eight bits of an externally input 64-bit key K
115 and transfers two 28-bit sequences to the cyclic
shift 112. The cyclically shifted data consisting of
a total of 56 bits is input to (PC-2) 113 to output
a 48-bit extended key. Referring to FIG. 16, only
the extended key corresponding to one round is output.
However, extended keys corresponding to the 2nd,
3rd, ..., 16th rounds are generated by repeating the
cyclic shift and PC-2.

FIG. 17 shows the flow of processing in a case
wherein the present invention is applied to the key
scheduler.

On the key input round of the key scheduler, Kc
and Kc̄ are randomly selected by a switch SW31 with a
probability of almost 1/2 and input to a key scheduler
122. The subsequent processing in the key scheduler is
the same as key schedule processing in the general DES.
An extended key 123 to be output is Kci when the input
key is Kc, and Kc̄i when the input key is Kc̄.

FIG. 18 shows how an extended key influenced by
a mask is applied to a message in each round function.
A method of applying Kci or Kc̄i to a message is
generally the same as the method of applying Ki to
a message. An exclusive OR 132 applies the extended
key Kci or Kc̄i to the 48 bits output from an expansion
E 131 in units of bits by exclusive OR operation.
Since the resultant data is influenced by the mask c or
c̄, if this data is input to an S-box without any change,
correct encryption cannot be performed. For this
reason, the influence of the mask c or c̄ on the data
must be removed before it is input to the S-box.
More specifically, if the influence of the mask is
represented by ci, ci is applied to the data by
an exclusive OR 133 before the data is input to an
S-box 134. Since inversion of an exclusive OR is
an exclusive OR, the influence of ci can be removed.
This applies to a case wherein the influence of the
masks is represented by c̄i.

In this embodiment, if the mask c̄ is selected as
bit translation of the mask c, the respective bits of
the extended key uniformly take the values "1" and "0".
This can prevent leakage of information about the key
against various types of observation from outside
the encryption apparatus. To minimize leakage of
information, ci and c̄i preferably have similar Hamming
weights. Note, however, that ci is obtained by
processing c through a key schedule. It is therefore
difficult to completely control the Hamming weights
of ci on all the rounds. Under the circumstances,
a method of selecting a mask having a Hamming weight
corresponding to 1/2 the bit size as the original mask
c may be used.

FIG. 19 is a flow chart showing the flow of
processing in an encryption method according to an
embodiment, which includes the step of masking bits
dependent on a plaintext with selected mask patterns
and the step of removing the influence of the masks
described above from the ciphertext before it is output.

When plaintext data is input (step U1), at least
one i-th mask pair is selected (step U2). With this
operation, mask patterns ai (step U3) or inverted mask
patterns āi of the mask patterns ai are selected.
The data is masked with the selected masks (step U5).
It is checked whether the next mask pair is selected
(step U6). If the selection of the next masks is
required, the processing is repeated from the step of
selecting the new i-th mask pair (step U2). If the
selection of the required mask pair is complete, an
encryption process of the data is performed (step U7).
Since the intermediate output data obtained by the
encryption process (step U7) has been masked with the
mask patterns, the i-th mask pair is determined first
(step U8) to determine whether the mask patterns ai
were used (step U9) or the inverted mask patterns āi
were used (step U10). The masks applied to the data
are removed (step U11). It is then checked whether
mask removal is complete (step U12). If masks are left,
the processing is repeated from the step of determining
the new mask pair (step U8). If mask removal is
completed by the above steps, the ciphertext is output
(step U13).

FIG. 20 is a flow chart showing the flow of
processing in an encryption method according to an
embodiment, which includes the step of removing the
influence of masks from input data to a data
translation and the step of masking the output data
from the data translation with mask patterns.

When data is input to the data translation
(step V1), an i-th mask pair is checked (step V2) to
determine whether mask patterns ai were used (step V3)
or inverted mask patterns āi of the mask patterns ai
were used (step V4). The masks applied to the data are
removed (step V5).

It is checked whether mask removal is complete
(step V6). If masks are left, the processing is
repeated from the step of checking a new mask pair
(step V2). If mask removal is completed by the above
steps, data translation is performed (step V7).

For the output data upon the above data
translation (step V7), at least one i-th mask pair is
selected (step V8), and the mask patterns ai (step V9)
or mask patterns āi (step V10) are selected. The data
is masked with the selected masks (step V11). It is
then checked whether the next mask pair is selected
(step V12). If selection of a mask pair that demands
selection of the next mask and masking are complete,
the data is output from the data translation (step V13).

FIG. 21 is a flow chart showing the flow of
processing in an encryption method according to an
embodiment, which includes the step of removing the
influence of masks from intermediate bit data during
an encryption procedure and the step of masking the
data with mask patterns.

When ciphertext intermediate value as intermediate
encryption bit data is input (step W1), an i-th mask
pair is checked (step W2) to determine whether mask
patterns ai were used (step W3) or inverted mask
patterns āi of the mask patterns ai were used (step W4).
The masks applied to the data are removed (step W5).

It is then checked whether mask removal is
complete (step W6). If masks are left, the processing
is repeated from the step of checking a new mask pair
(step W2). When mask removal is completed by the
above steps, an encryption process is performed by
an expansion E round function (step W7).

For the output data from the encryption round
function (step W7), at least one i-th mask pair is
selected to select the mask patterns ai (step W9) or
the inverted mask patterns āi (step W10). The data is
masked with the selected mask pair (step W11). It is
further checked whether the next mask pair is selected
(step W12). If selection of a mask pair that demands
selection of the next mask and masking are complete,
the ciphertext intermediate value is output (step W13).

FIG. 22 is a flow chart associated with an
encryption procedure according to an embodiment of the
present invention. When a plaintext is input (step X1),
mask patterns for masking the plaintext are selected
(step X2). Bits dependent on the plaintext are masked
with the selected mask patterns (step X3).

For an intermediate value of the encryption data
having undergone the above masking process (step X4),
mask patterns for masking the input data of a round
function are selected (step X5). The masks are removed
from the input data of the round function (step X6).
Mask patterns for masking an input to the data
translation are selected (step X7). The masks are
removed from the input data to the data translation
(step X8). The data translation then converts the
input data (step X9).

Mask patterns for masking the output from the data
translation (step X9) are selected (step X10), and the
output data from the data translation is masked with
the mask patterns (step X11). Mask patterns for
masking the output data of the round function are
selected (step X12), and the output data of the round
function is masked with the mask patterns (step X13).

It is checked whether the above procedure is
complete up to the nth round (step X14). If the
processing is not complete, the processing is repeated
from step X4. If the processing is complete up to the
nth round, mask patterns that mask the ciphertext are
selected (step X15), and the masks are removed from
the bits dependent on the ciphertext (step X16).
The finally obtained ciphertext is output (step X17).

As the processing in steps X2, X3, X15, and X16,
the processing described with reference to FIG. 19 is
performed. As the processing in steps X5, X6, X12, and
X13, the processing described with reference to FIG. 20
is performed. As the processing from step S7 to step
X11, mask determination processing, mask removal, and
concealment processing using masks are performed in one
process by using tables calculated in advance and the
like to prevent leakage of intermediate data in process.

FIG. 23 is a block diagram showing the arrangement
of an IC card that implements the encryption/decryption
apparatus, encryption/decryption method, and program
storage medium therefor according to the present
invention described above. As shown in FIG. 23, an IC
card 201 includes a CPU 203, RAM 205, ROM 207, EEPROM
209, and contactor 211. The RAM 205 is used to store
various data and as a work area or the like. The ROM
207 is used to store various data, programs, and the
like. The EEPROM 209 is used to store the programs
indicated by the flow charts of FIGS. 19 to 22 and the
like. The contactor 211 obtains electrical contact
with an IC card reader/writer (not shown). Note that
the programs shown in FIGS. 19 to 22 may be stored in
the RAM 205 or ROM 207 instead of the EEPROM 209.

In the above embodiment, the application of the
present invention to the DES scheme has been described
in detail. However, the present invention is not
limited to this and can be applied to general
encryption schemes comprised of part or all of the
following three types of functions, namely dyadic
operation like exclusive OR operation, a permutation
equivalent to bit interchange, and cipher system
equivalent to an S-box.

Additional advantages and modifications will 
readily occur to those skilled in the art. Therefore, 
the invention in its broader aspects is not limited to 
the specific details and representative embodiments 
shown and described herein. Accordingly, various 
modifications may be made without departing from the 
spirit or scope of the general inventive concept as 
defined by the appended claims and their equivalents.

CLAIMS

1. An encryption apparatus for converting
a plaintext block into a ciphertext block depending on
supplied key information, comprising:

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

means for masking bits dependent on a plaintext
within said apparatus with the mask patterns selected
by said selection means; and

means for removing an influence of the mask a from
a ciphertext before the ciphertext is output.

2. An encryption apparatus for converting a
plaintext block into a ciphertext block depending on
supplied key information, comprising:

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

means for masking intermediate bit data within
said apparatus with the mask patterns selected by said
selection means; and

means for removing an influence of the mask a from
the intermediate bit data masked by said masking means.

3. An encryption apparatus for converting a
plaintext block into a ciphertext block depending on
supplied key information, comprising:

data translation means for performing data
translation to intermediate data within said apparatus;

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

means for masking an input to said data
translation means with the mask patterns selected by
said selection means; and

means for removing an influence of the mask a from
an output from said data translation means which is
masked by said masking means.

4. An apparatus according to claim 1, wherein
said means for masking the bits dependent on the
plaintext within said apparatus with the selected mask
patterns and said means for removing the influence
of the mask a from the ciphertext comprise one of
an exclusive OR, addition or subtraction with respect
to a modulus, and multiplication or division with
respect to the modulus.

5. An apparatus according to claim 2, wherein
said means for masking the intermediate bit data within
said apparatus with the selected mask patterns and said
means for removing the influence of the mask a from
the masked intermediate bit data comprise one of an
exclusive OR, addition or subtraction with respect to
a modulus, and multiplication or division with respect
to the modulus.

6. An apparatus according to claim 3, wherein
said data translation means, said means for masking the
input to said data translation means with the selected
mask patterns, and said means for removing the
influence of the mask a from the masked output from
said data translation means comprise one of an
exclusive OR, addition or subtraction with respect to
a modulus, and multiplication or division with respect
to the modulus.

7. An apparatus according to claim 3, further
comprising:

first storage means for storing, in the form of
a table, said means for randomly selecting one pattern
of each of the pairs ai, āi (where i is a positive
integer not less than one) of one or the plurality of
predetermined mask patterns and the mask patterns
obtained by bit inversion of the predetermined mask
patterns every time encryption is performed, said means
for masking the input to said data translation means
with the mask patterns ai, and said means for removing
the influence of the masks ai from the masked output
from said data translation means;

second storage means for storing, in the form of
a table, said means for masking the input to said data
translation means with mask patterns āi, and said means
for removing an influence of the masks āi from the
masked output from said data translation means; and

masked data translation means for randomly
selecting one of said first and second storage means
every time encryption is performed, and performing the
processing by said data translation means for masked
data.

8. An apparatus according to claim 1, wherein the
pair a, ā of the mask patterns and the mask patterns
obtained by bit inversion comprises a pair a, ā of
predetermined fixed mask patterns and mask patterns
obtained by bit inversion of the fixed mask patterns.

9. An apparatus according to claim 1, wherein the
pair a, ā of the mask patterns and the mask patterns
obtained by bit inversion are not necessarily concealed.

10. An apparatus according to claim 1, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x),
and the Hamming weight H(a) of the mask a satisfies
0 < H(a) < n.

11. An apparatus according to claim 1, wherein
a Hamming weight indicating the number of bits "1s" of
an n-bit long bit sequence x is defined as H(x), and
an absolute value of a difference between the Hamming
weight H(a) of the mask a and a Hamming weight H(ā) of
bit inversion ā of the mask a is less than n/2.

12. A decryption apparatus for converting a
ciphertext block into a plaintext block depending on
supplied key information, comprising:

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

means for masking bits dependent on a ciphertext
within said apparatus with the mask patterns selected
by said selection means; and

means for removing an influence of the mask a from
a plaintext before the plaintext is output.

13. A decryption apparatus for converting a
ciphertext block into a plaintext block depending on
supplied key information, comprising:

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

means for masking intermediate bit data within
said apparatus with the mask patterns selected by said
selection means; and

means for removing an influence of the mask a from
the intermediate bit data masked by said masking means.

14. A decryption apparatus for converting a
ciphertext block into a plaintext block depending on
supplied key information, comprising:

data translation means for performing data
translation to intermediate data within said apparatus;

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

means for masking an input to said data translation
means with the mask patterns selected by said
selection means; and

means for removing an influence of the mask a from
an output from said data translation means which is
masked by said masking means.

15. An apparatus according to claim 12, wherein
said means for masking the bits dependent on the
plaintext within said apparatus with the selected mask
patterns and said means for removing the influence of
the mask a from the ciphertext comprise one of an
exclusive OR, addition or subtraction with respect to
a modulus, and multiplication or division with respect
to the modulus.

16. An apparatus according to claim 13, wherein
said means for masking the intermediate bit data within
said apparatus with the selected mask patterns and said
means for removing the influence of the mask a from
the masked intermediate bit data comprise one of an
exclusive OR, addition or subtraction with respect to
a modulus w., and multiplication or division with
respect to the modulus w..

17. An apparatus according to claim 15, wherein
said data translation means, said means for masking the
input to said data translation means with the selected
mask patterns, and said means for removing the
influence of the mask a from the masked output from
said data translation means comprise one of an
exclusive OR, addition or subtraction with respect to
a modulus, and multiplication or division with respect
to the modulus.

18. An apparatus according to claim 14, further
comprising:

first storage means for storing, in the form of
a table, said means for randomly selecting one pattern
of each of the pairs ai, āi (where i is a positive
integer not less than one) of one or the plurality of
predetermined mask patterns and the mask patterns
obtained by bit inversion of the predetermined mask
patterns every time decryption is performed, said means
for masking the input to said data translation means
with the mask patterns ai, and means for removing the
influence of the masks ai from the masked output from
said data translation means;

second storage means for storing, in the form of
a table, means for masking the input to said data
translation means with mask patterns āi, and means for
removing an influence of the masks āi from the masked
output from said data translation means; and

masked data translation means for randomly
selecting one of said first and second storage means
every time decryption is performed, and performing the
processing by said data translation means for masked
data.

19. An apparatus according to claim 12, wherein
the pair a, ā of the mask patterns and the mask
patterns obtained by bit inversion comprises a pair
a, ā of predetermined fixed mask patterns and mask
patterns obtained by bit inversion of the fixed mask
patterns.

20. An apparatus according to claim 13, wherein
the pair ai, āi of the mask patterns and the mask
patterns obtained by bit inversion are not necessarily
concealed.

21. An apparatus according to claim 12, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x),
and the Hamming weight H(a) of the mask a satisfies
0 < H(a) < n.

22. An apparatus according to claim 12, wherein
a Hamming weight indicating the number of bits "1s" of
an n-bit long bit sequence x is defined as H(x), and
an absolute value of a difference between the Hamming
weight H(a) of the mask a and a Hamming weight H(ā) of
bit inversion ā of the mask a is less than n/2.

23. An encryption method of converting a plaintext
block into a ciphertext block depending on supplied key
information, comprising the steps of:

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

masking bits dependent on a plaintext within the
method with the selected mask patterns; and

removing an influence of the mask a from
a ciphertext before the ciphertext is output.

24. An encryption method of converting a plaintext
block into a ciphertext block depending on supplied key
information, comprising the steps of:

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

masking intermediate bit data within the method
with the selected mask patterns; and

removing an influence of the mask a from the
masked intermediate bit data.

25. An encryption method of converting a plaintext
block into a ciphertext block depending on supplied key
information, comprising the steps of:

performing data translation to intermediate data
within the method;

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

masking an input to the data translation step with
the selected mask patterns; and

removing an influence of the mask a from a masked
output from the data translation step.

26. A method according to claim 23, wherein the
step of masking the bits dependent on the plaintext
within the method with the selected mask patterns
and the step of removing the influence of the mask a
from the ciphertext comprise one of an exclusive OR,
addition or subtraction with respect to a modulus, and
multiplication or division with respect to the modulus.

27. A method according to claim 24, wherein the
step of masking the intermediate bit data within the
method with the selected mask patterns and the step of
removing the influence of the mask a from the masked
intermediate bit data comprise one of an exclusive OR,
addition or subtraction with respect to a modulus, and
multiplication or division with respect to the modulus.

28. A method according to claim 25, wherein the
data translation step, the step of masking the input
to the data translation step with the selected mask
patterns, and the step of removing the influence of the
mask a from the masked output from the data translation
step comprise one of an exclusive OR, addition or
subtraction with respect to a modulus, and
multiplication or division with respect to the modulus.

29. A method according to claim 25, further
comprising the steps of:

storing, in the form of a table, the step of
randomly selecting one pattern of each of the pairs
ai, āi (where i is a positive integer not less than
one) of one or the plurality of predetermined mask
patterns and the mask patterns obtained by bit
inversion of the predetermined mask patterns every time
encryption is performed, the step of masking the input
to said data translation step with the mask patterns ai,
and the step of removing the influence of the masks ai
from the masked output from the data translation step;

storing, in the form of a table, the step of
masking the input to said data translation step with
mask patterns āi, and step of removing an influence
of the masks āi from the masked output from the data
translation step; and

randomly selecting one of the first and second
storage steps every time encryption is performed, and
performing the processing in the data translation step
for masked data.

30. A method according to claim 23, wherein the
pair a, ā of the mask patterns and the mask patterns
obtained by bit inversion comprises a pair a, ā of
predetermined fixed mask patterns and mask patterns
obtained by bit inversion of the fixed mask patterns.

31. A method according to claim 23, wherein
the pair a, ā of the mask patterns and the mask
patterns obtained by bit inversion are not necessarily
concealed.

32. A method according to claim 23, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x),
and the Hamming weight H(a) of the mask a satisfies
0 < H(a) < n.

33. A method according to claim 23, wherein
a Hamming weight indicating the number of bits "1s" of
an n-bit long bit sequence x is defined as H(x), and
an absolute value of a difference between the Hamming
weight H(a) of the mask a and a Hamming weight H(ā) of
bit inversion ā of the mask a is less than n/2.

34. A decryption method of converting a ciphertext
block into a plaintext block depending on supplied key
information, comprising the steps of:

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

masking bits dependent on a ciphertext within the
method with the selected mask patterns; and

removing an influence of the mask a from
a plaintext before the plaintext is output.

35. A decryption method of converting a ciphertext
block into a plaintext block depending on supplied key
information, comprising the steps of:

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

masking intermediate bit data within the method
with the selected mask patterns; and

removing an influence of the mask a from the
masked intermediate bit data.

36. A decryption method of converting a ciphertext
block into a plaintext block depending on supplied key
information, comprising the steps of:

performing data translation to intermediate data
within the method;

randomly selecting one pattern of each of pairs
ai, āi (where i is a positive integer not less than
one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time decryption
is performed;

masking an input to the data translation step with
the selected mask patterns; and

removing an influence of the mask a from a masked
output from the data translation step.

37. A method according to claim 34, wherein
the step of masking the bits dependent on the
ciphertext within the method with the selected mask
patterns and the step of removing the influence of the
mask a from the plaintext comprise one of an exclusive
OR, addition or subtraction with respect to a modulus w.,
and multiplication or division with respect to the
modulus 52.

38. A method according to claim 35, wherein the 
step of masking the intermediate bit data within the 
method with the selected mask patterns and the step of 
removing the influence of the mask a from the masked 
intermediate bit data comprise one of an exclusive OR, 
addition or subtraction with respect to a modulus, and 
multiplication or division with respect to the modulus. 

39. A method according to claim 36, wherein the 
data translation step, the step of masking the input 
to the data translation step with the selected mask 
patterns, and the step of removing the influence of the 
mask a from the masked output from the data translation 
step comprise one of an exclusive OR, addition or 
subtraction with respect to a modulus, and
multiplication or division with respect to the modulus.

40. A method according to claim 36, further
comprising the steps of:

storing, in the form of a table, the step of
randomly selecting one pattern of each of the pairs
ai, āi (where i is a positive integer not less than
one) of one or the plurality of predetermined mask
patterns and the mask patterns obtained by bit
inversion of the predetermined mask patterns every time
decryption is performed, the step of masking the input
to said data translation step with the mask patterns ai,
and the step of removing the influence of the masks ai
from the masked output from the data translation step;

storing, in the form of a table, the step of
masking the input to said data translation step with
mask patterns āi, and step of removing an influence
of the masks āi from the masked output from the data
translation step; and

randomly selecting one of the first and second
storage steps every time decryption is performed, and
performing the processing in the data translation step
for masked data.

41. A method according to claim 34, wherein the
pair a, ā of the mask patterns and the mask patterns
obtained by bit inversion comprises a pair a, ā of
predetermined fixed mask patterns and mask patterns
obtained by bit inversion of the fixed mask patterns.

42. A method according to claim 34, wherein the
pair a, ā of the mask patterns and the mask patterns
obtained by bit inversion are not necessarily concealed.

43. A method according to claim 34, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x),
and the Hamming weight H(a) of the mask a satisfies
0 < H(a) < n.

44. A method according to claim 34, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x), and
an absolute value of a difference between the Hamming
weight H(a) of the mask a and a Hamming weight H(ā) of
bit inversion ā of the mask a is less than n/2.

45. A computer-usable program storage medium
storing computer-readable program code means for
converting a plaintext block into a ciphertext block
depending on supplied key information, comprising:

computer-readable program code means for causing
a computer to randomly select one pattern of each of
pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

computer-readable program code means for causing
said computer to mask bits dependent on a plaintext
within the method with the selected mask patterns; and

computer-readable program code means for causing
said computer to remove an influence of the mask a from
a ciphertext before the ciphertext is output.

46. An encryption apparatus for converting
a plaintext block into a ciphertext block depending
on supplied key information, comprising:

means for randomly selecting one pattern of each
of pairs ai, āi (where i is a positive integer not less
than one) of one or a plurality of predetermined mask
patterns and mask patterns obtained by bit inversion of
the predetermined mask patterns every time encryption
is performed;

means for masking bits dependent on a key within
said apparatus with the mask patterns selected by said
selection means;

data translation means for converting intermediate
data within said apparatus with the key; and

means for removing an influence of the mask a from
an output from said data translation means.

47. An apparatus according to claim 46, wherein
the pair a, ā of the mask patterns and the mask
patterns obtained by bit inversion comprises a pair
a, ā of predetermined fixed mask patterns and mask
patterns obtained by bit inversion of the fixed mask
patterns.

48. An apparatus according to claim 46, wherein
the pair a, ā of the mask patterns and the mask
patterns obtained by bit inversion are not necessarily
concealed.

49. An apparatus according to claim 46, wherein
a Hamming weight indicating the number of bits "1s"
of an n-bit long bit sequence x is defined as H(x),
and the Hamming weight H(a) of the mask a satisfies
0 < H(a) < n.

50. An apparatus according to claim 46, wherein
a Hamming weight indicating the number of bits "1s" of
an n-bit long bit sequence x is defined as H(x), and
an absolute value of a difference between the Hamming
weight H(a) of the mask a and a Hamming weight H(ā) of
bit inversion ā of the mask a is less than n/2.

ABSTRACT OF THE DISCLOSURE
A pair of a pattern of a mask and a mask pattern 
obtained by bit inversion of the mask is prepared for 
each round function in a data scrambler. Every time 
encryption is to be performed, one mask pattern of the 
pair is randomly selected by a switch, and an exclusive 
OR of an input to an S-box and the selected mask 
pattern is calculated. In addition, an exclusive OR 
of an output from the S-box and bits of inverse 
permutation of the mask is calculated. The exclusive 
ORs are calculated in advance and stored as a table in 
the S-box. Furthermore, an exclusive OR of the output 
from each round function and a mask is calculated and 
concealed. The influence of the mask is removed by 
calculating the exclusive OR with the mask again on the 
next round. 
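
The table-based S-box masking summarized in the abstract, together with the Hamming-weight conditions of claims 10 and 11, as an added C example that is not part of the patent text. The function names, the constructed masks 0x2C and 0x5, and passing the output mask b directly (the abstract derives it from the inverse permutation of the round mask) are assumptions; the selection bit is supplied by the caller where a device would draw it at random for each encryption.

```c
#include <stdint.h>

#define N_IN 6u                      /* S-box input width in bits */
#define IN_FULL ((1u << N_IN) - 1u)

/* DES S-box S1; the row is chosen by the two outer input bits. */
static const uint8_t S1[4][16] = {
    {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
    {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
    {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
    {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
};

static unsigned sbox(unsigned x)
{
    return S1[((x >> 4) & 2u) | (x & 1u)][(x >> 1) & 0xFu];
}

static unsigned hamming(unsigned v)
{
    unsigned c = 0;
    for (; v; v &= v - 1u) c++;
    return c;
}

/* Claims 10 and 11: 0 < H(a) < n and |H(a) - H(~a)| < n/2. */
static int mask_ok(unsigned a, unsigned n)
{
    int ha = (int)hamming(a & ((1u << n) - 1u));
    int diff = 2 * ha - (int)n;          /* H(a) - H(~a), as H(~a) = n - H(a) */
    return ha > 0 && ha < (int)n && 2 * (diff < 0 ? -diff : diff) < (int)n;
}

static uint8_t table[2][1u << N_IN];     /* [0] uses (a, b), [1] uses (~a, ~b) */
static unsigned in_mask[2], out_mask[2];
/* Precompute table[s][xm] = S(xm ^ in_mask[s]) ^ out_mask[s]. */
static int build_tables(unsigned a, unsigned b)
{
    if (!mask_ok(a, N_IN)) return -1;
    in_mask[0] = a & IN_FULL;  in_mask[1] = ~a & IN_FULL;
    out_mask[0] = b & 0xFu;    out_mask[1] = ~b & 0xFu;
    for (unsigned s = 0; s < 2; s++)
        for (unsigned xm = 0; xm <= IN_FULL; xm++)
            table[s][xm] = (uint8_t)(sbox(xm ^ in_mask[s]) ^ out_mask[s]);
    return 0;
}

/* xm is the masked S-box input; sel is the bit drawn once per encryption. */
static unsigned masked_lookup(unsigned xm, unsigned sel)
{
    return table[sel & 1u][xm & IN_FULL];
}

/* Number of (x, sel) cases where unmasking the output does not give S(x). */
static unsigned count_mismatches(void)
{
    unsigned bad = 0;
    for (unsigned s = 0; s < 2; s++)
        for (unsigned x = 0; x <= IN_FULL; x++)
            bad += (masked_lookup(x ^ in_mask[s], s) ^ out_mask[s]) != sbox(x);
    return bad;
}

/* H(x ^ a) + H(x ^ ~a) is always n, so the mean weight over sel is n/2. */
static unsigned pair_weight_sum(unsigned x, unsigned a)
{
    return hamming((x ^ a) & IN_FULL) + hamming((x ^ ~a) & IN_FULL);
}

int main(void)
{
    /* Constructed masks; exit status 0 means every lookup unmasks to S(x). */
    return build_tables(0x2Cu, 0x5u) != 0 || count_mismatches() != 0;
}
```

Because the two tables are indexed only by already-masked values, the lookup never handles the unmasked S-box input or output, and the constant weight sum is why the pair consists of a mask and its bit inversion.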